February 25, 2013

New HIPAA Rules Clarify Patients' Right to Access Their Health Data

Last month, the Administration released long-awaited final
regulations to implement most of the improvements to federal health privacy
protections enacted by Congress in the HITECH provisions of the 2009 economic
stimulus legislation. As described earlier this month in iHealthBeat, the regulations include strengthened prohibitions against use of patient data
without consent for marketing communications; extension of federal privacy and
security protections to contractors (and subcontractors) of doctors, hospitals
and insurers; improved right of individuals to be notified of breaches of their
health data; and clarity regarding an individual’s right to receive digital copies
of her health information. This
blog post will focus specifically on the rights of patients under HIPAA to access
their data.

The HIPAA Privacy Rule has always provided individuals with
the right to access and obtain copies of health information maintained in
provider or health plan records. Under
the existing regulations, when a patient makes such a request, the provider or
plan has up to 30 days to provide the requested access or copy; however, the
provider or plan can take up to an additional 60 days if the information
requested is stored off-site. Patients
can also be charged a reasonable, cost-based fee for copies of their
information, covering the costs of both the labor and supplies. State law frequently sets maximum rates to be
paid by patients for copies of their medical records. Although this right of access has been part
of the Privacy Rule since it was first implemented, many patients have faced
obstacles in trying to obtain timely copies of their health information.

The Privacy Rule covers identifiable health information in
both paper and digital form, so this right of patient access has always applied
to information kept in electronic as well as paper medical records. However, in HITECH, Congress made it clear
that when a patient’s information is stored electronically, patients have the
right to obtain an electronic copy and to have that copy sent at their request
to another person or entity, like a doctor, a caregiver, or a personal health
record or mobile health app.

The new regulations released last month implement this
mandate and also clarify how this right to digital data can be exercised. Patients have the right to an electronic copy
“in the form or format they request” – but only if the provider or plan is
capable of producing the copy in the requested format. If the data isn’t “readily producible” in the
format requested by the patient, the provider or plan and the patient are
expected to come to an agreement on an acceptable, machine-readable digital
format. In other words, patients cannot
demand that their providers run out and purchase new technology in order to
produce data in a specific, desired format; however, providers must have the
capability of providing patients with some type of machine-readable, electronic
copy of their data. HHS suggests that MS
Word, Excel, text, HTML or PDF are among the possible options. The patient can also choose to obtain a paper
copy if none of the provider’s digital formats meets the patient’s needs.

The new rules still allow providers and plans to ask patients
to submit written requests for copies of their health information, although this
is not required by the Privacy Rule.
However, if the patient wants to have the electronic copy transmitted
directly to a third party, the new rules require that this request be in
writing, be signed by the patient, and clearly identify the designated recipient
and where the information is to be sent.
(The writing and signature can be digital.) Per existing requirements of the HIPAA
Privacy and Security rules, providers or plans sending identifiable health
information per a patient’s request must take steps to verify the identity of
the patient, send the right records, and implement safeguards to protect the
information in transit.

Of note, although the Security Rule requires providers and
plans to implement safeguards for transmitting identifiable health information,
patients also have the right to get their copies through unencrypted e-mail if
they so choose – a point that was clarified in the material accompanying the
new regulations. Providers and plans are
first required to advise patients of the risk of receiving information through
unsecure channels; but if the patient opts for the unsecure method, she has the
right to receive her information in this way.
(This advice on the risks of unsecure e-mail does not have to be
extensive; it is enough to notify the patient there is “some level of risk that
the information in the e-mail could be read by a third party.”) Some patients
prefer the convenience of having their data sent directly to them at their
regular e-mail address; others will welcome the option of having a secure
method. HHS makes clear in the new
regulations that the patient has the right to choose.

Patients can still be charged for digital copies of their
data – but only for the labor costs associated with preparing the copy (not
including fees for “retrieval”). If the
patient chooses to purchase supplies (like a flash drive) from the provider or
plan, there may be a reasonable charge imposed for those.

Although the new regulations make important clarifications
to HIPAA’s patient access right, providers and plans can still take a fairly long
time to respond to patient requests for data:
up to 30 days, and an additional 30 days for information stored
off-site. HHS encourages faster response
times but noted a need to set the outer boundaries at a level that would enable
entities to comply regardless of the nature of the patient’s request or the
location of the data. As noted in a
previous blog post, the requirements for Stage 2 will provide some patients
with more timely, on-line access to relevant digital health information. However, these requirements apply only
to entities participating in the Meaningful Use program, and those entities are
only required to make this access available to a portion of their
patients. The HIPAA access rules provide
the baseline for all providers using digital records and for some patients will
constitute the only available pathway for obtaining copies of their data.

The final rules are effective March 26, 2013; entities
covered by the rule have another 180 days to come into compliance with most
provisions. Until the effective date,
the existing HIPAA rules on patient access remain in place.
